Trust no-one: the challenge of implementing Zero Trust in legacy environments
Strong walls aren't enough to stop attackers, writes Guy Warren.
As the corporate world wakes up to new security challenges, we urgently need to adopt a different approach to security. Current global tensions have also aggravated the already turbulent security landscape, and for businesses to protect themselves against the most dangerous threats, they must start building a Zero Trust Approach, writes Guy Warren, CEO of ITRS Group.
In the past, security models have been built like a castle and a moat: the entrance to the castle is highly fortified, and the assumption is that if you secure it well then everything within that boundary is safe. Firewalls follow the same model – once inside the perimeter, users are not continuously challenged as they go about their business. This remains the most common approach to security across the world.
The obvious problem with this security model is that if hackers are able to find their way into the castle undetected, then wreaking havoc and identifying vulnerabilities is a frighteningly straightforward process.
One of the largest scale and most well-known examples of a ‘Trojan Horse’-style attack was the 2020 hacking of SolarWinds. Hackers targeted a third party with access to SolarWinds’ system and entered through the backdoor by impersonating users. Once inside, the hackers injected malware into the platform, compromising the data of around 18,000 devices* with devastating consequences.
Shifting mindsets
Events like this have unsurprisingly prompted a swift shift in mindset when it comes to cyber security, towards an approach built on inherent suspicion of all users at all times. It has been aptly named: Zero Trust.
The benefits are clear. If you assume every piece of software is not trustworthy and you oblige users to prove they’re authorised to access the software and then to carry out the action they’re attempting to every single time, the risk of hacking becomes almost negligible in comparison.
Whilst this involves a marginal decrease in performance and a marginal increase in load, the time taken to carry out these checks is only fractionally longer than not doing them, and therefore well worth the risks it mitigates.
Hurdles to Zero Trust remain
However, there remains a significant hurdle that firms must clear before Zero Trust can be effectively adopted across the board. Years of rapid digital transformation have left many IT systems straining under the weight of new technology they can no longer comfortably manage.
The financial services industry – much like most other technology-reliant sectors – is operating on legacy systems that are preventing them from transitioning towards a Zero Trust Approach.
Technologies such as middleware and mainframes were not designed with a Zero Trust Approach in mind and they would struggle to cope with the model. This is partly because they rely on a relatively long-lived session, which isn’t compatible with the speed and asynchronous way that requests would need to be sent to an API.
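The contrast between a long-lived trusted session and a per-request check is easiest to see in code. The following is an added example, not code from the article or from ITRS Group: it places a perimeter-style gateway (one login, then every action is allowed) beside a Zero Trust gateway that re-verifies a short-lived signed token and the caller's permission for the specific action on every request. The token format, the `POLICY` table, the principals `alice` and `bob` and the `ledger` resource are all constructed for the demonstration.

```python
import base64
import hashlib
import hmac
import json
import time

SECRET = b"constructed-demo-key"  # constructed; a real deployment uses a managed secret

# Constructed policy: which actions each principal may perform on each resource.
POLICY = {
    "alice": {"ledger": {"read", "write"}},
    "bob": {"ledger": {"read"}},
}


def issue_token(subject, ttl_seconds, now=None):
    """Mint a short-lived HMAC-signed token (constructed format, not a standard)."""
    now = time.time() if now is None else now
    payload = json.dumps({"sub": subject, "exp": now + ttl_seconds}, sort_keys=True).encode()
    sig = hmac.new(SECRET, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload).decode() + "." + base64.urlsafe_b64encode(sig).decode()


def verify_token(token, now=None):
    """Return the subject if the signature is valid and the token is unexpired, else None."""
    now = time.time() if now is None else now
    try:
        payload_b64, sig_b64 = token.split(".")
        payload = base64.urlsafe_b64decode(payload_b64)
        sig = base64.urlsafe_b64decode(sig_b64)
    except (ValueError, TypeError):
        return None
    expected = hmac.new(SECRET, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):  # constant-time comparison
        return None
    claims = json.loads(payload)
    if claims["exp"] <= now:
        return None
    return claims["sub"]


class CastleAndMoat:
    """Perimeter model: one login, after which the session is trusted for any action."""

    def __init__(self):
        self.logged_in = set()

    def login(self, subject, password_ok):
        if password_ok:
            self.logged_in.add(subject)

    def request(self, subject, action, resource):
        return subject in self.logged_in  # no per-action check once inside


class ZeroTrust:
    """Every request must re-prove identity (token) and authorisation (policy)."""

    def __init__(self):
        self.audit = []  # every decision is recorded for detection and review

    def request(self, token, action, resource, now=None):
        subject = verify_token(token, now)
        if subject is None:
            self.audit.append(("deny", "bad-or-expired-token", action, resource))
            return False
        allowed = action in POLICY.get(subject, {}).get(resource, set())
        self.audit.append(("allow" if allowed else "deny", subject, action, resource))
        return allowed


def demo():
    """Run both models over the same constructed scenario and return the decisions."""
    t0 = 1_700_000_000  # constructed clock value
    moat = CastleAndMoat()
    moat.login("bob", password_ok=True)
    moat_write = moat.request("bob", "write", "ledger")  # True: inside the wall, anything goes

    zt = ZeroTrust()
    bob_token = issue_token("bob", ttl_seconds=60, now=t0)
    zt_read = zt.request(bob_token, "read", "ledger", now=t0)        # True: policy grants read
    zt_write = zt.request(bob_token, "write", "ledger", now=t0)      # False: no write grant
    zt_late = zt.request(bob_token, "read", "ledger", now=t0 + 120)  # False: token expired

    # A payload claiming to be alice but carrying bob's signature fails verification.
    forged_payload = base64.urlsafe_b64encode(
        json.dumps({"sub": "alice", "exp": t0 + 60}, sort_keys=True).encode()).decode()
    forged = forged_payload + "." + bob_token.split(".")[1]
    zt_forged = zt.request(forged, "write", "ledger", now=t0)        # False: bad signature
    return moat_write, zt_read, zt_write, zt_late, zt_forged


if __name__ == "__main__":
    print(demo())
```

The point of the pairing is the one the article makes: in the perimeter model a single successful login is enough to perform any action, whereas the Zero Trust gateway re-checks both the token and the policy on each call, so an expired token, a forged claim and an action the caller was never granted are all refused, and each refusal lands in an audit trail that detection tooling can watch.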
The solution: addressing the problem at the source
The answer is to teach developers how to write code with a Zero Trust Approach built in from the start. Cyber security has been marked as an area of particular concern by governments across the world, with the UK’s Department for Digital, Culture, Media & Sport revealing that in March 2022 nearly a third of firms were being hit by a cyber-attack every week.
Firms devising their security approach around penetration testing and hoping this covers their vulnerabilities are sadly mistaken. In the modern security landscape, this is far too simplistic an approach to cyber security and cannot protect firms from the sophisticated and targeted attacks of cyber criminals.
The only way to effectively protect a system is by adapting the security approach to include circumstances in which hackers have gained access to the system. And as mentioned, this will involve challenging users at every stage inside the system with the adoption of a Zero Trust Approach.
As such, it’s increasingly important to have a software architecture that’s appropriate for the technology being used. It’s clear that legacy technologies are holding businesses back when it comes to increasing operational efficiencies, but the troubling reality is that they also make firms more vulnerable to cyber-attacks because they cannot cope with the adoption of more resilient security models.
Cyber threats will continue to proliferate, and firms urgently need to address security approaches that are no longer fit for purpose. As both the risk and scale of the potential damage of a security breach increases, firms must adopt a new model that can better protect their business and customers. Designing systems with a Zero Trust Approach built in from the start must become a fundamental step in the security process.
*Update 5 July 2022, 19:20 BST: This figure was edited to remove an inaccurate description of the extent of the SolarWinds incident.